Good morning Rebecca and Paul: 

In case you guys were not aware of this. Not sure if OMD or Mary M. in OHR is aware. 


http://www.nextgov.com/nextgov/ng_20110105_6716.php?oref=rss?zone=NGtodav 


Feds may weigh changes to information security requirements 


BY ALIYA STERNSTEIN 01/05/2011 

Before a military employee allegedly leaked a mountain of classified documents to WikiLeaks, 
reportedly by downloading data to a music CD, the White House had been in the middle of updating 
rules on reporting agency network weaknesses. Obama officials have not said whether they will 
revise the reporting guidelines further after agencies complete self-evaluations of their classified 
information protections. 

Under Office of Management and Budget rules issued in April 2010, chief information officers have 
been working within the confines of the 2002 Federal Information Security Management Act to shift 
to an automated process for complying with the law's paperwork requirements. Instead of requiring 
managers to check boxes in reports to indicate compliance with security protocols, special software 
will continuously collect metrics on the status of controls so that CIOs have a more accurate and 
comprehensive view of vulnerabilities. Starting this month, CIOs must update the Homeland 
Security Department monthly, rather than quarterly, on their overall security postures by feeding 
summaries of these assessments to a central, governmentwide inbox called CyberScope. 

Allan Paller, director of research at the SANS Institute, a computer security think tank, suggested 
OMB refine the April FISMA guidance by directing CIOs to first automate and monitor what a 
consortium of nonprofit and agency specialists have defined as the 20 most critical FISMA controls. 

The top 20 include hardware and software configurations, wireless device control, and data leakage 
protection. Attempting to tackle the nearly 150 standard controls all at once could dilute agencies' 
time, money and ultimately security, Paller said. "The 20 critical controls make the defense against 
that type of attack extremely high priority," he added. 

OMB on Monday issued separate guidelines (see attachment) to agency heads on safeguarding 
classified information that require a one-time report on compliance with information assurance 
controls, as well as adherence to other existing policies, such as steps to evaluate the trustworthiness 
of personnel. Agencies were told to conduct similar inspections regularly but, as of now, are not 
required to continue reporting on these self-assessments. White House officials on Wednesday said 
they have not yet announced if they will call for additional reports on the ongoing self-evaluations. 


Other security specialists discouraged the government from rushing to change the current OMB 
requirements for reporting on computer security in response to the WikiLeaks breach. 

"There are pieces in [FISMA] that if properly followed by the letter of the law, and the regulations, 
greatly minimize the risk of things like this happening," said Hord Tipton, executive director of 
(ISC)2, a nonprofit group that certifies and trains information security professionals. "I think we 
have quite adequate hardware and technology to deal with it." 

But the government must evaluate more closely the people it tasks to follow the rules, cautioned 
Tipton, who served for five years as the Interior Department's chief information officer. 

"All of this depends upon people and people that we trust. We have to take an introspective look at 
how much we should trust people," he said. Also, "We might not have enough capable people to 
configure the technology. . . . You've got to recognize that all data is not the same and we're 
drowning in it. If we're going to live in a sea of data like this, we have to hire people who know how 
to deal with it." 